State-Sponsored Attack Hijacks Notepad++ Update Infrastructure to Deliver Malware

State-Sponsored Attack Hijacked Notepad++ Update Infrastructure
The maintainer of Notepad++ has confirmed that state-sponsored threat actors compromised the application’s update delivery mechanism, redirecting update traffic to malicious servers through an infrastructure-level breach.
According to Notepad++ developer Don Ho, the attackers did not exploit a vulnerability in the Notepad++ codebase itself. Instead, they compromised the hosting provider’s infrastructure, allowing them to intercept and manipulate update traffic intended for notepad-plus-plus.org.
“The attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org,” Ho said.
The precise technical method used to redirect the traffic remains under investigation.
Targeted Update Redirection Campaign
The disclosure follows the release of Notepad++ version 8.8.9, which addressed an issue in which WinGUp, the built-in updater, was intermittently redirected to malicious domains. Because the updater did not sufficiently verify the authenticity and integrity of the binaries it downloaded, an attacker able to intercept network traffic could substitute a trojanized executable for the legitimate update.
Evidence suggests the campaign was highly targeted. Only select users had their update traffic redirected to rogue servers, where poisoned binaries were served. The attack is believed to have begun as early as June 2025, remaining undetected for over six months.
Attribution and Infrastructure Compromise
Security researcher Kevin Beaumont linked the exploitation activity to threat actors operating from China, noting that the campaign was used to compromise systems and facilitate further network intrusions.
Further investigation revealed that the original hosting provider’s shared infrastructure was compromised until September 2, 2025. Even after the attackers lost direct server access, they retained credentials to internal services until December 2, 2025, enabling continued redirection of update traffic.
Mitigation Measures
In response to the incident, the Notepad++ project has migrated its website and update infrastructure to a new hosting provider. The maintainer has emphasized that the breach was external to Notepad++ itself and stemmed from third-party infrastructure compromise.
Users are strongly advised to update to the latest Notepad++ version and to verify the integrity of any downloaded binaries, especially if updates were installed during the affected timeframe (June 2025 through December 2, 2025).
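The two checks the updater lacked, and that a user can run by hand on an installer already on disk, are shown below as an added example. This is not Notepad++ or WinGUp code and does not describe the fix shipped in 8.8.9. The trusted-host allowlist, the pinned digest, the sample "installer" bytes and the man-in-the-middle substitution are all constructed for illustration.

```python
# Added example (not Notepad++/WinGUp code): the verification an updater
# should perform before running a downloaded binary, exercised against a
# constructed legitimate payload and a constructed MITM substitution.
import hashlib
import hmac
from urllib.parse import urlparse

# Assumption: the updater only ever fetches from this host over HTTPS. Any
# redirect that lands elsewhere is refused rather than followed.
TRUSTED_HOSTS = {"notepad-plus-plus.org"}


def is_trusted_download_url(url: str) -> bool:
    """Reject plain HTTP and any host outside the allowlist.

    The article describes update traffic being redirected to rogue servers.
    An updater that follows redirects blindly cannot tell those apart from
    the real origin, so the FINAL URL must be checked, not just the first.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return parsed.scheme == "https" and host in TRUSTED_HOSTS


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_binary(data: bytes, expected_sha256: str) -> bool:
    """Compare the downloaded bytes against a digest that did NOT arrive over
    the same (possibly hijacked) connection: pinned in the client, or taken
    from a separately authenticated source. A digest file served next to the
    binary proves nothing, since an attacker who can swap one can swap both.
    """
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def decide_update(final_url: str, downloaded: bytes, expected_sha256: str) -> str:
    """Return the updater's decision as a short status string."""
    if not is_trusted_download_url(final_url):
        return "rejected: untrusted download host"
    if not verify_binary(downloaded, expected_sha256):
        return "rejected: digest mismatch"
    return "accepted"


def verify_local_file(path: str, expected_sha256: str, chunk_size: int = 1 << 20) -> bool:
    """The same digest check applied to an installer already on disk,
    streamed so a large installer does not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return hmac.compare_digest(digest.hexdigest(), expected_sha256.lower())


# Constructed sample payloads, not real installers.
LEGIT_INSTALLER = b"MZ" + b"\x00" * 62 + b"constructed legitimate installer body"
PINNED_DIGEST = sha256_hex(LEGIT_INSTALLER)  # assumed to ship inside the client
TROJANIZED_INSTALLER = LEGIT_INSTALLER + b"\n<constructed malicious stage appended>"

if __name__ == "__main__":
    cases = [
        ("https://notepad-plus-plus.org/update/npp.exe", LEGIT_INSTALLER),
        ("https://notepad-plus-plus.org/update/npp.exe", TROJANIZED_INSTALLER),
        ("https://updates.example.invalid/npp.exe", LEGIT_INSTALLER),  # redirect target
        ("http://notepad-plus-plus.org/update/npp.exe", LEGIT_INSTALLER),  # downgrade
    ]
    for url, payload in cases:
        print(f"{url:48} -> {decide_update(url, payload, PINNED_DIGEST)}")
```

A pinned digest only covers a release the client already knows about; a real updater needs a signature over a release manifest (or the executable's own Authenticode signature, checked against the expected publisher rather than merely "valid") so that new versions can be trusted without a client update. The point the example makes is narrower: whatever is used to judge the binary must not come from the same connection that delivered it.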
Sources: thehackernews.com, notepad++ blog